
Restrict user to exactly two commands, possible?

nerslynnn
Level 1

Hi!

I want to restrict a user, upon login, to exactly two commands on an IOS router:

1) show users

2) logout

The user must not have access to any other command in the CLI.

But I cannot figure out how to accomplish this.

(config)# username test privilege 0 password test

"(config)# privilege exec level 0 show users" not only enables the show users subcommand, but also gives access to the whole set of "show" subcommands. How do I allow exactly one subcommand to be available to a user?

If I issue "(config)# privilege exec level 1 show" afterwards, the level 0 user for some reason loses access to the "show users" subcommand.

I've been banging my head against a wall for days. Is what I want to achieve even possible and if it is, how?

1 Reply 1

Eduardo Aliaga
Level 4

Using "privileges" in CLI commands is the old way to do "command authorization". I'm not sure if you can do what you want by using "privilege".

My recommendation is to use a TACACS server. You can easily do "command authorization" with a TACACS server.
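
An added illustration of the TACACS+ command authorization recommended in the reply (not part of the original thread and not either poster's configuration): a user stanza that permits only "show users" and "logout". It assumes the open-source tac_plus daemon, since the reply names no particular server; the server name TAC1, the address 192.0.2.10, the key and the password are placeholders.

```conf
# tac_plus.conf (tac_plus daemon syntax; the choice of server is an assumption)
# Shared secret; must match the key configured on the router. Placeholder value.
key = "<shared-secret>"

user = test {
    # Placeholder credential.
    login = cleartext "<password>"

    # Allow an EXEC session, landing at privilege level 1.
    service = exec {
        priv-lvl = 1
    }

    # "show users" only. The regex is matched against the argument string
    # sent by the router, which ends in <cr>, so anchoring on "users <cr>"
    # rejects "show users all", "show version" and every other show subcommand.
    cmd = show {
        permit "^users <cr>$"
        deny ".*"
    }

    # "logout" is allowed as typed.
    cmd = logout {
        permit ".*"
    }

    # Every command not listed above (enable, ping, telnet, ...) is denied,
    # because no "default cmd = permit" is set for this user.
}

# Matching IOS side, shown as comments so this file stays a valid tac_plus.conf.
# Levels 0 and 1 are both sent for authorization: logout is a level 0 command,
# show users is a level 1 command.
#   aaa new-model
#   tacacs server TAC1
#    address ipv4 192.0.2.10
#    key <shared-secret>
#   aaa authentication login default group tacacs+ local
#   aaa authorization exec default group tacacs+ local
#   aaa authorization commands 0 default group tacacs+
#   aaa authorization commands 1 default group tacacs+
```

With no fallback method on the two "commands" lines, every command is rejected while the server is unreachable, so keep a separately authorized administrative path open when testing this.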
